DevHeads.net

Re: OpenDKIM not signing

What's your key size?
My DNS provider does not support 2048, I found that out the hard way. 1024
seems to be the most popular size and Google demands at least 1024.
Once you get the signing working you can regen a 2048 and check if you
can feed it in DNS TXT, but for first testing stick to 1024.

Comments

Re: OpenDKIM not signing

By Bill Cole at 04/09/2019 - 08:50

Note that this is usually due to a 255-character limit on a single
string in a TXT record. This is because the character-string type in DNS
is defined as a classical Pascal string: a single length byte followed
by the content.

There is a workaround supported by most DNS servers: using multiple
strings in a single TXT record. This is a part of the DNS standard (RFC
1035) so if your DNS service provider does not allow it, they are not a
real DNS provider. :)
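An added worked example (not code from the thread or from OpenDKIM) that ties the two points above together: why a 1024-bit DKIM record fits in one TXT string while a 2048-bit one does not, how the multi-string TXT form from RFC 1035 carries the longer record, and how a verifier reassembles it and can check the published key size. It uses only the Python standard library. The RSA modulus is deterministic filler constructed for the example (it is not a real key, but its DER encoding has the same size as a real key's), and the selector `s1` and domain `example.com` are placeholders.

```python
import base64
import hashlib

# DER-encoded OID 1.2.840.113549.1.1.1 (rsaEncryption), tag and length included.
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")
TXT_STRING_LIMIT = 255  # RFC 1035 <character-string>: one length byte, max 255 bytes


def der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:          # keep the INTEGER positive
        body = b"\x00" + body
    return der_tlv(0x02, body)


def fake_rsa_spki(bits, e=65537):
    """SubjectPublicKeyInfo for an RSA key of `bits` bits.

    The modulus is deterministic filler with the top bit set (constructed
    for this example, NOT a real key); its DER size matches a real key's.
    """
    n_bytes = bits // 8
    filler = b"".join(hashlib.sha256(bytes([i])).digest()
                      for i in range(n_bytes // 32 + 1))[:n_bytes]
    n = int.from_bytes(filler, "big") | (1 << (bits - 1)) | 1
    rsa_public_key = der_tlv(0x30, der_int(n) + der_int(e))
    algorithm = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")
    return der_tlv(0x30, algorithm + der_tlv(0x03, b"\x00" + rsa_public_key))


def dkim_record(spki_der):
    """The TXT payload published for this key (same shape as opendkim-genkey's)."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki_der).decode()


def split_txt(record, limit=TXT_STRING_LIMIT):
    """Cut the record into <character-string>s no longer than `limit`."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]


def zone_line(selector, domain, record):
    """RFC 1035 zone-file form: several quoted strings in one TXT RR."""
    strings = " ".join('"%s"' % s for s in split_txt(record))
    return "%s._domainkey.%s. IN TXT ( %s )" % (selector, domain, strings)


def join_txt(strings):
    """What a DKIM verifier does with the RR: concatenate, no separator."""
    return "".join(strings)


def parse_dkim(record):
    """Split 'tag=value; tag=value' into a dict."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def der_read(buf, pos=0):
    """Read one TLV at `pos`; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Walk SPKI -> BIT STRING -> RSAPublicKey -> INTEGER n; return its size."""
    tag, spki, _ = der_read(spki_der)
    assert tag == 0x30
    _, algorithm, pos = der_read(spki)
    assert algorithm.startswith(RSA_ENCRYPTION_OID), "not an RSA key"
    tag, bit_string, _ = der_read(spki, pos)
    assert tag == 0x03 and bit_string[0] == 0   # zero unused bits
    _, rsa_public_key, _ = der_read(bit_string, 1)
    tag, n, _ = der_read(rsa_public_key)
    assert tag == 0x02
    return int.from_bytes(n, "big").bit_length()


def key_bits_from_record(record):
    """Key size of the p= tag in a (reassembled) DKIM TXT record."""
    return rsa_modulus_bits(base64.b64decode(parse_dkim(record)["p"]))


if __name__ == "__main__":
    for bits in (1024, 2048):
        rec = dkim_record(fake_rsa_spki(bits))
        chunks = split_txt(rec)
        print("%d-bit key: record is %d chars -> %d string(s)" % (bits, len(rec), len(chunks)))
        print(zone_line("s1", "example.com", rec))
        print("verifier sees a %d-bit key" % key_bits_from_record(join_txt(chunks)))
```

The 1024-bit record comes out at 234 characters, so it fits in a single string; the 2048-bit record is 410 characters and has to be published as two strings, which is the form a provider's web form may refuse. Run `dig +short TXT s1._domainkey.example.com` (with your own selector and domain) against the published record: a correctly stored multi-string record comes back as two quoted strings, and concatenating them should yield the record the verifier on your side parses with `key_bits_from_record`.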

Re: OpenDKIM not signing

By Scott Kitterman at 04/09/2019 - 11:53

On Tuesday, April 09, 2019 08:50:52 AM Bill Cole wrote:
It's not that rare. In fact it's the reason that RFC 8301 says MUST 1024,
SHOULD 2048. If we'd thought it wouldn't have caused significant operational
problems for domains that don't host their own DNS, we'd have gone straight to
MUST 2048 for additional future proofing.

Lots of domains have DNS provided by the domain name registrar (i.e. not a
real DNS provider, I guess).

Scott K